Recent news reports have stated that a hacker allegedly connected to China has been involved in exploiting two popular vulnerabilities. The purpose of such exploits is to target US defense contractors and other government entities and institutions in Asia and the UK. According to these reports, researchers believe the hacker is backed by the state. In this article, we’ll describe the attacks and how the Connectwise F5 software flaws were exploited. 

Let’s begin!

UNC5174 And The Connectwise F5 Software Flaws

A Google-owned security firm, Mandiant, has released a report providing insights about the allegedly state-backed hacker. The reports mention that a threat actor called UNC5174 may be the one behind the Connectwise F5 software flaws being exploited. In addition, researchers at Mandiant also believe that the hacker is acting on behalf of the Chinese Ministry of State Security. 

An excerpt from the report commenting on the recent activities of UNC5174 reads: “In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada.” 

Connect also warned its customers about CVE-2024-1709 in February. At that time, the organization had confirmed that several of its customers had fallen prey to Connectwise F5 software flaws. The researchers also found UNC5174 exploiting CVE-2023-46747. These exploits targeted the F5 BIG-IP. The report further states that the use of custom tools unique to UNC5174 was evident in both exploits.

Connectwise F5 Vulnerability And Chinese Espionage 

Researchers at Mandiant have stated that the attacks hint at the possibility of Chinese espionage. An excerpt providing further insights reads: “China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits.”

Given the attack sequence of the recent Connectwise F5 software flaws being exploited, it can be stated that threat actors closely follow the model mentioned in the report. In addition, their operations may provide insight into the initial access broker system that the MSS uses to target global organizations. As of now, experts believe that UNC5174 will continue to pose a threat to NGOs, academic institutions, and government bodies. 

Connectwise F5 Software Flaws Exploitation Details 

Once the threat actor has developed a foothold, they begin to scan the internet-facing system for exploitable vulnerabilities. UNC5174 also creates administrative accounts that aid in executing malicious intentions, given that the accounts have elevated privileges. In addition, the threat actor also drops a C-based ELF downloader dubbed SNOWLIGHT. 

The downloader is designed to deliver the next payload called GOREVERSE it acquires from a remote URL and communicates with the SUPERSHELL. As far as exploiting the Connectwise F5 software flaws is concerned, both GOREVERESE and SUPERSHELL allow threat actors to create a reverse SSH funnel. 

This funnel is then used to launch shell sessions, facilitating arbitrary code execution. When it comes to exploiting the Connectwise F5 software flaw, threat actors also use an additional Goland-based tunneling tool called GOHEAVY. The tool is likely used to help with lateral movements within the network, allowing threat actors to expand their attack surface. 

Recent reports have brought to light an interesting occurrence where threat actors were involved in patching CVE-2023-46747. The motive behind the patch, as per the reports, is to keep others from exploiting the same loophole. It’s worth mentioning here that UNC5174 is linked to various threat actor groups and is believed to have left them in mid-2023

In addition, the threat actor now focuses on executing access operations and brokering access to compromised environments. Given this, it is possible to conclude that, in the case of the Connectwise F5 software flaws exploit, the threat actor is once again acting as an access broker with the MSS’s support. 

Conclusion 

UNC5174, allegedly backed by China, has been observed exploiting the Connectwise F5 software flaws using custom tools. As per recent reports, US defense contractors and other government entities and institutions in Asia and the UK are believed to be the prime targets of the attacks.

The exploits are highly severe, given that the threat actor can close loopholes, broker access, conduct lateral movements, and expand the attack surface. Given the severity of the attacks, deploying robust cybersecurity measures is now essential for safeguarding organizational systems and mitigating Connectwise F5 software risks.

The sources for this piece include articles in The Hacker News and The Record. 

The post Alert: Connectwise F5 Software Flaws Used To Breach Networks appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/alert-connectwise-f5-software-flaws-used-to-breach-networks/